Security specialists have some specific advice for facility managers who want to be sure they get an effective security evaluation.

First, says Ahrens, the scope of the project should be extremely clear. Do you want an overall security assessment, or do you just want your current theft problem looked at? Spell out clearly what you're looking for.

Facility managers should also ensure that the evaluation document is written in a professional tone that doesn't invite liability. Ahrens mentions security surveys he's seen that use heart-stopping language — heart-stopping for a legal department — like this: "It's not a matter of if, but when, this incident will occur." And: "In my 10 years of law enforcement, this is the worst thing I have ever seen."

The final issue is maintaining control of what are sensitive, confidential security evaluations and the people who have access to them.

Mitchell stresses that a third party needs to do the assessment. He recommends a trained, experienced, certified consultant who uses commonly recognized standards, he says, like those set out by OSHA and ASIS.

Mitchell has learned to insist, when signing a consulting contract, that senior leadership will be present and involved with him during the assessment. That's because it often takes senior staff to authorize the needed fixes and loosen the purse strings.

Both Doss and Ahrens say that a written security evaluation and its recommendations are risky for a facility to ignore (though it certainly happens). Why? Because that document now describes specific vulnerabilities and corrective recommendations in writing. If the facility does nothing about a documented problem and something happens to an employee or visitor as a result, then liability — and the prospect of a much larger legal settlement — become potential huge issues.

A security audit opens up an entire discussion, Mitchell notes, one that is about much more than just barbed wire and locks. He wants, for example, to see the "post orders" — the documents that set out security duties and responsibilities in given scenarios. "It's not just about the stuff; it's about the procedures, how we behave, what we do when this and that happens. What if this, what if that? It gets very complicated," Mitchell says.

"Once someone penetrates the facility, who's going to respond? How are they trained? Do we have a chain of command? Does our response work as well at 6:30 p.m. as 8:30 a.m. when everybody's here?" Until those questions get asked, and a plan is developed to address problems, Mitchell says, discussions about security are "just cocktail conversations."